This is an automated email from the ASF dual-hosted git repository.

martijnvisser pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/flink-web.git

commit 59131495a71512e89e655a574f764410a5714497
Author: Martijn Visser <mvis...@confluent.io>
AuthorDate: Tue Sep 19 12:53:25 2023 +0200

    Update Security pages and Statefun 3.3.0 release announcement to include 
details about CVE-2023-41834
---
 docs/content.zh/security.md                             | 12 ++++++++++++
 docs/content/posts/2023-09-19-release-statefun-3.3.0.md | 13 +++++++++++++
 docs/content/security.md                                | 12 ++++++++++++
 3 files changed, 37 insertions(+)

diff --git a/docs/content.zh/security.md b/docs/content.zh/security.md
index 1498e705a..acdef0e2b 100644
--- a/docs/content.zh/security.md
+++ b/docs/content.zh/security.md
@@ -72,6 +72,18 @@ This section lists fixed vulnerabilities in Flink.
                        Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
                </td>
        </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834";>CVE-2023-41834</a>
+               </td>
+               <td>
+                       Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink-statefun/commit/b06c0a23a5a622d48efc8395699b2e4502bd92be";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a> <br>
+                       Users are advised to upgrade to Flink Stateful 
Functions 3.3.0 or later versions.
+               </td>
+       </tr>
 </table>
 
 
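Review bot: both `href` values in the new row end with `";>` (`...name=CVE-2023-41834";>` and `...bd92be";>`), a stray semicolon after the closing quote that would leave a malformed attribute if it is really in the committed file rather than a mail-archive artifact; please confirm the file reads `">`. The row also carries no description of the issue class; if the table layout allows, a few words (HTTP header injection via unneutralized CRLF sequences, as the 3.3.0 release post in this same commit puts it) would help readers triage without opening the CVE link.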
diff --git a/docs/content/posts/2023-09-19-release-statefun-3.3.0.md 
b/docs/content/posts/2023-09-19-release-statefun-3.3.0.md
index 39051c4a9..b0985e0cb 100644
--- a/docs/content/posts/2023-09-19-release-statefun-3.3.0.md
+++ b/docs/content/posts/2023-09-19-release-statefun-3.3.0.md
@@ -23,6 +23,19 @@ or [JIRA](https://issues.apache.org/jira/browse/FLINK)!
 
 ## New Features
 
+### Fixed CVE-2023-41834 
+
+Stateful Functions versions 3.1.0, 3.1.1 and 3.2.0 allowed HTTP header
+injection due to Improper Neutralization of CRLF Sequences. Attackers could
+potentially inject malicious content into the HTTP response that is
+sent to the user. This could include injecting a fake login form or
+other phishing content, or injecting malicious JavaScript code that
+can steal user credentials or perform other malicious actions on the
+user's behalf.
+
+Stateful Functions 3.3.0 has fixed this security vulnerability. More details 
can be found on the 
+[Security]({{< relref "security" >}}) page.
+
 ### Upgraded Flink dependency to 1.16.2
 
 Stateful Functions 3.3.0 runtime uses Flink 1.16.2 underneath.
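Review bot: the `### Fixed CVE-2023-41834` heading lands directly under `## New Features`, which is the wrong bucket for a security fix; give it its own `## Security` section above New Features so readers scanning for upgrade urgency find it first. Drop the trailing space on `+### Fixed CVE-2023-41834 `, and since the paragraph describes only the impact, add one sentence on what the fix changes and link the fix commit as the security page rows do, so the announcement and the security table tell the same story.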
diff --git a/docs/content/security.md b/docs/content/security.md
index 1498e705a..acdef0e2b 100644
--- a/docs/content/security.md
+++ b/docs/content/security.md
@@ -72,6 +72,18 @@ This section lists fixed vulnerabilities in Flink.
                        Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
                </td>
        </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41834";>CVE-2023-41834</a>
+               </td>
+               <td>
+                       Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink-statefun/commit/b06c0a23a5a622d48efc8395699b2e4502bd92be";>Fixed
 in commit b06c0a23a5a622d48efc8395699b2e4502bd92be</a> <br>
+                       Users are advised to upgrade to Flink Stateful 
Functions 3.3.0 or later versions.
+               </td>
+       </tr>
 </table>
 
 
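Review bot: this hunk is identical to the one for `docs/content.zh/security.md`, down to the `index 1498e705a..acdef0e2b` line, so the Chinese page is an untranslated copy of the English one; that matches the existing rows, but the same stray `";>` after both `href` values needs the same check here, and any correction must be applied to both files or they will drift.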
